fail2ban and the apf firewall are two server tools that automatically ban attackers' IPs. When they are installed together, fail2ban must be configured to work with apf; otherwise their iptables rules will conflict. See http://askubuntu.com/questions/124994/how-to-set-fail2ban-with-apf for details.

===== ddos-deflate =====

This is a simple script that automatically bans an IP when its number of connections exceeds the configured threshold. See https://antiddos.eu/en/news/item/20.

**Note**: if you get the error "$CONF not found" when running the script, change the first line of the script from:

<code bash>
#!/bin/sh
</code>

to:

<code bash>
#!/bin/bash
</code>

Same thing in the cron job.

The first thing to do on a Linux server is to install a firewall with strict default rules. I use [[https://help.ubuntu.com/community/UFW|UFW (Uncomplicated FireWall)]], which is the default on Ubuntu:

<code bash>
sudo apt-get install ufw
</code>

UFW relies on iptables and makes network rules easier to manage.

Once installed, ufw is not yet enabled. This is a good thing, because it is better to add your own IP to the whitelist first; otherwise you could lock yourself out of your remote server. You also have to allow the SSH port to access the server remotely.

<code bash>
# Allow your IP (xxx.xxx.xxx.xxx)
sudo ufw allow from xxx.xxx.xxx.xxx

# Allow SSH
sudo ufw allow 22

# Also allow HTTP and HTTPS if you have a web server
sudo ufw allow 80
sudo ufw allow 443
</code>

After that, you can safely enable the firewall:

<code bash>
sudo ufw enable
</code>

To check the status:

<code bash>
sudo ufw status verbose
</code>

Then, to ban an IP:

<code bash>
sudo ufw deny from yyy.yyy.yyy.yyy
</code>

:!: In fact, it is better to add rules at the beginning of the list, because for iptables and ufw the first rule matching an IP is applied and the others are ignored. This means that if your deny rule comes after a rule allowing a port for all IPs, it will be ignored. To insert the rule at the first position:

<code bash>
sudo ufw insert 1 deny from yyy.yyy.yyy.yyy
</code>
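The first-match behaviour described above is easy to get wrong, so here is an added example (my own simulator, not code from ufw or from this page) that models an ordered rule list the way iptables and ufw evaluate it: the first matching rule decides, and later rules are never consulted. The `Rule` and `Firewall` names, the rule fields and the sample addresses are my own simplifications of `ufw allow 22`, `ufw deny from <ip>` and `ufw insert 1 ...`.

```python
"""First-match evaluation of ufw/iptables-style rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # source IP, None means "any"
    port: Optional[int] = None  # destination port, None means "any"

    def matches(self, src: str, port: int) -> bool:
        return (self.src is None or self.src == src) and \
               (self.port is None or self.port == port)


class Firewall:
    """Ordered rule list with ufw-like append and 1-based 'insert N'."""

    def __init__(self, default: str = "deny"):
        self.rules: List[Rule] = []
        self.default = default          # ufw's default incoming policy

    def append(self, rule: Rule) -> None:       # like "ufw allow ..." / "ufw deny ..."
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:  # like "ufw insert N ..."
        self.rules.insert(position - 1, rule)   # ufw positions start at 1

    def decide(self, src: str, port: int) -> str:
        """First matching rule wins; everything after it is ignored."""
        for rule in self.rules:
            if rule.matches(src, port):
                return rule.action
        return self.default


def ban_after_allow(attacker: str = "203.0.113.7") -> str:
    """The trap from the text: a deny appended after a global 'allow 22'."""
    fw = Firewall()
    fw.append(Rule("allow", port=22))           # sudo ufw allow 22
    fw.append(Rule("deny", src=attacker))       # sudo ufw deny from <attacker>
    return fw.decide(attacker, 22)              # "allow": the ban is shadowed


def ban_inserted_first(attacker: str = "203.0.113.7") -> str:
    """The fix from the text: the deny is inserted at position 1."""
    fw = Firewall()
    fw.append(Rule("allow", port=22))
    fw.insert(1, Rule("deny", src=attacker))    # sudo ufw insert 1 deny from <attacker>
    return fw.decide(attacker, 22)              # "deny"


def legit_still_allowed(client: str = "198.51.100.5",
                        attacker: str = "203.0.113.7") -> str:
    """The inserted deny only affects the attacker; other clients still reach SSH."""
    fw = Firewall()
    fw.append(Rule("allow", port=22))
    fw.insert(1, Rule("deny", src=attacker))
    return fw.decide(client, 22)                # "allow"


if __name__ == "__main__":
    print("deny appended after 'allow 22' ->", ban_after_allow())
    print("deny inserted at position 1    ->", ban_inserted_first())
    print("legitimate client              ->", legit_still_allowed())
```

The same ordering trap applies to fail2ban: an action that appends a deny rule would be shadowed by an earlier `allow 22`, which is why the action defined in the next section uses `ufw insert 1`.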

===== fail2ban and UFW =====

fail2ban is a server daemon that automatically bans attackers' IPs. To do that, fail2ban reads system logs (especially ///var/log/auth.log//) and adds a rule to block IP addresses that try to access your server illegally. It is useful to block unwanted ssh access.

When installed together with ufw, fail2ban must be configured to work with ufw. Otherwise, there will be a conflict in iptables rules.

First create an action for ufw in the fail2ban configuration:

<file ini /etc/fail2ban/action.d/ufw-ssh.conf>
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
</file>

Then activate the ssh jail by modifying ///etc/fail2ban/jail.conf//. I also decided to ban attackers for 1 year:

<code ini>
...

# Ignore my own IP in order to avoid being locked outside
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx

# "bantime" is the number of seconds that a host is banned.
# 1 year
bantime  = 31536000

# Default banning action
banaction = ufw-ssh

# Activate ssh jail
[ssh]
enabled  = true
port = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled  = true
port = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

...
</code>

Finally, reload the configuration:

<code bash>
sudo service fail2ban restart
</code>
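To make the interplay between the jail settings and the action template concrete, here is an added example (my own code, not fail2ban's) that imitates what the `[ssh]` jail and the `ufw-ssh` action above do together: it scans constructed `auth.log` lines, skips sources covered by `ignoreip`, counts failed logins per IP, and for every IP that reaches `maxretry` renders the `actionban` template with `<ip>` substituted. The log lines are constructed, `192.0.2.10` stands in for the admin's `xxx.xxx.xxx.xxx`, the regex is a simplified stand-in for fail2ban's `sshd` filter, and the `findtime` window is deliberately left out.

```python
"""fail2ban-style ssh jail run over constructed auth.log lines (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Mirrors the "actionban" line of the page's action.d/ufw-ssh.conf.
ACTIONBAN = "ufw insert 1 deny from <ip> to any app OpenSSH"

# Simplified sshd filter: one failed password attempt per matching line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Placeholder for the admin's own "xxx.xxx.xxx.xxx" from the page (constructed).
ADMIN_IP = "192.0.2.10"


def _failed_lines(ip: str, count: int, first_pid: int) -> List[str]:
    """Constructed auth.log failure lines for one source IP."""
    return [
        f"Mar  3 10:00:{i:02d} srv sshd[{first_pid + i}]: Failed password for root "
        f"from {ip} port {51000 + i} ssh2"
        for i in range(count)
    ]


# Constructed sample of /var/log/auth.log.
AUTH_LOG = "\n".join(
    _failed_lines("203.0.113.7", 6, 1000)     # brute-force attempts
    + _failed_lines("127.0.0.1", 6, 2000)     # local failures, covered by ignoreip
    + _failed_lines(ADMIN_IP, 2, 3000)        # admin mistyping a password twice
    + _failed_lines("198.51.100.9", 1, 4000)  # a single failure, below maxretry
    + ["Mar  3 10:00:30 srv sshd[5000]: Accepted publickey for deploy "
       "from 198.51.100.5 port 52000 ssh2"]
)


def parse_ignoreip(value: str) -> list:
    """'127.0.0.1/8 192.0.2.10' -> list of networks (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def failures_per_ip(log_text: str, ignoreip: str) -> Dict[str, int]:
    """Count failed logins per source IP, skipping anything inside ignoreip."""
    nets = parse_ignoreip(ignoreip)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue                     # never ban ourselves or localhost
        counts[ip] += 1
    return dict(counts)


def ban_commands(counts: Dict[str, int], maxretry: int = 6,
                 template: str = ACTIONBAN) -> List[str]:
    """Render the actionban template for every IP at or above maxretry."""
    return [template.replace("<ip>", ip)
            for ip, n in sorted(counts.items()) if n >= maxretry]


if __name__ == "__main__":
    counts = failures_per_ip(AUTH_LOG, f"127.0.0.1/8 {ADMIN_IP}")
    for cmd in ban_commands(counts):
        print(cmd)
```

Running it with the page's `ignoreip` value bans only `203.0.113.7`; dropping `127.0.0.1/8` from `ignoreip` would also ban `127.0.0.1`, which shows why the whitelist line matters before the jail goes live.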

===== Under DDOS attack? =====

The following command can help you identify DDOS attacks and the IP addresses that are the source of the attack:

Usually, when you have a high number of open connections, like here for yyy.yyy.yyy.yyy, it is likely that this IP is trying to DDOS you. That is the time to ban it using ufw.
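The check this section relies on is "how many open connections does each remote IP hold". As an added example (my own code, not from the page), the following counts connections per foreign address and lists the IPs above a threshold as candidates for `sudo ufw insert 1 deny from <ip>`. The page's own command is not shown, so the input format is an assumption: `netstat -ntu`-style lines, constructed below, with one SYN-flood source and a few normal clients. The threshold value is arbitrary.

```python
"""Open connections per remote IP from netstat-style output (added example)."""
from collections import Counter
from typing import Dict, List

ATTACKER = "203.0.113.7"   # constructed flood source

# Constructed "netstat -ntu"-style output: 30 half-open connections from the
# attacker, a few ESTABLISHED ones from normal clients, one IPv6 and one UDP line.
NETSTAT_OUTPUT = "\n".join(
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + [f"tcp        0      0 10.0.0.5:80             {ATTACKER}:{40000 + i}       SYN_RECV"
       for i in range(30)]
    + [f"tcp        0      0 10.0.0.5:443            198.51.100.12:{50000 + i}     ESTABLISHED"
       for i in range(3)]
    + ["tcp        0      0 10.0.0.5:22             198.51.100.5:52000      ESTABLISHED",
       "tcp6       0      0 2001:db8::5:80          2001:db8::99:40100      TIME_WAIT",
       "udp        0      0 10.0.0.5:123            192.0.2.1:123           ESTABLISHED"]
)

PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")


def connections_per_ip(netstat_text: str) -> Dict[str, int]:
    """Count lines per foreign IP; banner, header and wildcard peers are skipped."""
    counts: Counter = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOCOLS:
            continue                                 # banner / column header
        ip, _, port = fields[4].rpartition(":")      # handles "1.2.3.4:80" and "::1:80"
        if not ip or port == "*":
            continue                                 # listening socket, no peer
        counts[ip] += 1
    return dict(counts)


def suspects(counts: Dict[str, int], threshold: int) -> List[str]:
    """IPs holding at least `threshold` connections, busiest first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ordered if n >= threshold]


def deny_commands(ips: List[str]) -> List[str]:
    """The ufw command from the page, inserted at position 1 so it is not shadowed."""
    return [f"sudo ufw insert 1 deny from {ip}" for ip in ips]


if __name__ == "__main__":
    counts = connections_per_ip(NETSTAT_OUTPUT)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} {ip}")
    for cmd in deny_commands(suspects(counts, threshold=20)):  # 20: arbitrary cutoff
        print(cmd)
```

Pick the threshold from what your server normally sees (a busy web server legitimately holds many connections per NAT gateway), and review the list before banning: the same counting is what the nmd script in the next section automates.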

===== nmd =====

No More DDOS (nmd) is a simple script that automatically bans an IP when its number of connections exceeds the configured threshold. See http://us.informatiweb-pro.net/system-admin/linux/17--debian-ubuntu-centos-block-ddos-attacks-with-no-more-ddos-formerly-ddos-deflate.html (by Lionel Eppe).

I modified the script a little so that it uses ufw to ban addresses. There is also an issue with the installed cron script:

  * The name of the cron script must not contain a dot (modify the CRON variable in ///usr/local/nmd/ndm.conf/agent.conf//).